1. Field of the Invention
This invention relates generally to the field of automated access management control and more particularly to a method, system, and software for centralized enterprise access management control for multiple applications.
2. Background of the Related Art
Business applications that manage proprietary data must integrate some access control into their service to protect the business data from unauthorized access and/or use. To accomplish this, each new application must build its own appropriate access control, which requires application developers to design and develop access control features every time a new application is developed. This process is time consuming and inefficient, and it consumes valuable developer resources that are in short supply in a business environment where rapid application development and deployment is critical, since time to market is often a critical success factor for businesses.
Another problem with having several different access management control schemes across different applications in an enterprise is that additional administrator training and resources are required to implement these different access management control schemes.
Furthermore, a single pool of users often uses several of these different business applications across an enterprise. Setting up the users separately for each of these different business applications is inefficient and can negatively impact productivity, because some users end up not correctly set up across all the different business applications that they need to access.
Therefore, it is a general object of the invention to alleviate the problems and shortcomings identified above.
In one aspect, the present invention provides a computer implemented method of providing enterprise access management control, including the steps of: receiving access management control schemas from a plurality of registered applications; centrally storing the received access management control schemas associated with their respective registered applications; and providing a respective access management control schema to a requesting one of the plurality of applications.
In one aspect, the method of the present invention further includes receiving user privilege sets for users of a registered application; and storing the received user privilege sets for users of the registered application.
In a further aspect, the present invention includes receiving a request for a user privilege set of a user of the registered application from the registered application; and returning the requested user privilege set to the registered application.
In a further aspect, the method of the present invention includes the registered application verifying an action request from the user against the returned user privilege set and granting or denying the action request based on the results of verifying the action request.
In a further aspect of the present invention the access control schema includes access control rules that control access to at least one of data or actions.
In another aspect of the present invention, the access control schema includes privilege sets that are available for assignment to principals that include users, companies, or roles.
In a further aspect of the present invention, the access control rules define which actions are permissible for which principals.
In one important aspect, the present invention includes a computer readable data storage medium having program code recorded thereon for providing enterprise access management control, the program code including: a first program code for receiving access management control schemas from a plurality of registered applications; a second program code for centrally storing the received access management control schemas associated with their respective registered applications; and a third program code for providing a respective access management control schema to a requesting one of the plurality of applications.
In a further aspect of the present invention, the program code includes a fourth program code that receives user privilege sets for users of a registered application; and a fifth program code that stores the received user privilege sets for users of the registered application.
In yet another aspect, the program code according to the present invention includes: a sixth program code that receives a request for a user privilege set of a user of the registered application from the registered application; and a seventh program code that returns the requested user privilege set to the registered application.
In another important aspect, the present invention provides a system for automated enterprise access management control that includes: an access manager service that receives access management control schemas from a plurality of registered applications; and an access management data store that stores the received access management control schemas associated with their respective registered applications, wherein the access manager service provides a respective access management control schema to a requesting one of the plurality of applications.
In another aspect, the access manager service receives privilege sets for users of registered applications, and stores the received privilege sets in the access control data store.
In a further aspect, the system of the present invention includes an access manager toolkit for a registered application that requests a privilege set for a user of the registered application, wherein the access manager service returns the requested privilege set to the registered application and the access manager toolkit of the registered application verifies an action request from a user against the returned privilege set to grant or deny access to the user based on results of the verification.
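The method, program code and system aspects above all describe one flow: an application registers its access control schema with a central service, the service stores it and the privilege sets assigned to principals (users, companies, roles), the application later fetches a user's effective privilege set, and an application-side toolkit verifies each action request against it. The following is an added illustration of that flow, not code from the patent. The class and method names, the in-memory data store, the "invoicing" schema and the principals "alice", "bob", "mallory", "acme" and "finance-lead" are all constructed for the example; the assumption that a user's effective privilege set is the union of the sets assigned to the user, the user's company and the user's roles is also this example's, not the text's.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Kinds of principal a privilege set may be assigned to (users, companies, roles per the text).
PRINCIPAL_KINDS = ("user", "company", "role")
Principal = Tuple[str, str]  # (kind, identifier), e.g. ("role", "finance-lead")


@dataclass(frozen=True)
class Rule:
    """Access control rule: holders of `privilege` may perform `actions` on `resource`."""
    privilege: str
    resource: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class AccessControlSchema:
    """What a registering application hands to the central service (assumed shape)."""
    app_id: str
    privilege_sets: Dict[str, FrozenSet[str]]  # privilege set name -> privileges it contains
    rules: FrozenSet[Rule]


@dataclass
class AccessManagerDataStore:
    """Central store: one schema per application plus principal -> privilege set assignments."""
    schemas: Dict[str, AccessControlSchema] = field(default_factory=dict)
    assignments: Dict[str, Dict[Principal, Set[str]]] = field(default_factory=dict)


class AccessManagerService:
    def __init__(self, store: AccessManagerDataStore) -> None:
        self.store = store

    def register_application(self, schema: AccessControlSchema) -> None:
        # Reject a schema whose rules name a privilege that no privilege set can ever grant.
        grantable = set().union(*schema.privilege_sets.values())
        for rule in schema.rules:
            if rule.privilege not in grantable:
                raise ValueError(f"rule references unknown privilege {rule.privilege!r}")
        self.store.schemas[schema.app_id] = schema
        self.store.assignments.setdefault(schema.app_id, {})

    def get_schema(self, app_id: str) -> AccessControlSchema:
        return self.store.schemas[app_id]  # KeyError: application never registered

    def assign_privilege_sets(self, app_id: str, principal: Principal, set_names: Iterable[str]) -> None:
        schema = self.get_schema(app_id)
        if principal[0] not in PRINCIPAL_KINDS:
            raise ValueError(f"unknown principal kind {principal[0]!r}")
        unknown = set(set_names) - schema.privilege_sets.keys()
        if unknown:  # only privilege sets the schema declares may be assigned
            raise ValueError(f"unknown privilege sets {sorted(unknown)}")
        self.store.assignments[app_id].setdefault(principal, set()).update(set_names)

    def get_user_privilege_set(self, app_id: str, principals: Iterable[Principal]) -> FrozenSet[str]:
        """Effective privileges: union over the user and the company/roles it belongs to (assumed)."""
        schema = self.get_schema(app_id)
        assigned = self.store.assignments[app_id]
        privileges: Set[str] = set()
        for principal in principals:
            for name in assigned.get(principal, ()):
                privileges |= schema.privilege_sets[name]
        return frozenset(privileges)


class AccessManagerToolkit:
    """Lives inside the registered application and verifies each action request."""
    def __init__(self, service: AccessManagerService, app_id: str) -> None:
        self.service = service
        self.app_id = app_id

    def is_permitted(self, principals: Iterable[Principal], resource: str, action: str) -> bool:
        principals = list(principals)
        privileges = self.service.get_user_privilege_set(self.app_id, principals)
        rules = self.service.get_schema(self.app_id).rules
        # Default deny: grant only when some rule explicitly covers resource, action and a held privilege.
        return any(r.resource == resource and action in r.actions and r.privilege in privileges
                   for r in rules)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: register, assign, then verify several action requests."""
    service = AccessManagerService(AccessManagerDataStore())
    service.register_application(AccessControlSchema(
        app_id="invoicing",
        privilege_sets={"viewer": frozenset({"invoice.read"}),
                        "approver": frozenset({"invoice.read", "invoice.approve"})},
        rules=frozenset({Rule("invoice.read", "invoice", frozenset({"view", "export"})),
                         Rule("invoice.approve", "invoice", frozenset({"approve"}))}),
    ))
    service.assign_privilege_sets("invoicing", ("company", "acme"), ["viewer"])
    service.assign_privilege_sets("invoicing", ("role", "finance-lead"), ["approver"])
    toolkit = AccessManagerToolkit(service, "invoicing")
    clerk = [("user", "alice"), ("company", "acme")]
    lead = [("user", "bob"), ("company", "acme"), ("role", "finance-lead")]
    outsider = [("user", "mallory")]  # no company, no roles, nothing assigned directly
    return {
        "clerk_view": toolkit.is_permitted(clerk, "invoice", "view"),
        "clerk_approve": toolkit.is_permitted(clerk, "invoice", "approve"),
        "lead_approve": toolkit.is_permitted(lead, "invoice", "approve"),
        "lead_delete": toolkit.is_permitted(lead, "invoice", "delete"),
        "outsider_view": toolkit.is_permitted(outsider, "invoice", "view"),
    }
```

The two validation steps in the service are the part worth copying: a rule that names a privilege no set grants, or an assignment to a privilege set the schema never declared, is rejected at registration time rather than silently producing a user who can never be authorized (or one who is authorized by accident). The toolkit's check is default deny, so an action the schema does not mention at all ("delete" above) is refused even for the most privileged user.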